
From 048eb4f1ac4756a0ae496a77c10ee53a54a69d67 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Tue, 25 May 2021 11:57:59 +0200
Subject: [PATCH] [2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in
 IPv4 addresses.

validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expression and was affected on all
Python versions.

[1] https://bugs.python.org/issue36384

---
 django/core/validators.py         | 14 +++++++++++++-
 docs/releases/2.2.24.txt          | 13 +++++++++++++
 tests/validators/invalid_urls.txt |  8 ++++++++
 tests/validators/tests.py         | 20 ++++++++++++++++++++
 tests/validators/valid_urls.txt   |  6 ++++++
 5 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/django/core/validators.py b/django/core/validators.py
index ea18685fdb46..fb81fa80fc51 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -77,10 +77,10 @@ class RegexValidator(object):
 
 @deconstructible
 class URLValidator(RegexValidator):
-    ul = '\u00a1-\uffff'  # unicode letters range (must be a unicode string, not a raw string)
+    ul = '\u00a1-\uffff'  # unicode letters range (must not be a raw string)
 
     # IP patterns
-    ipv4_re = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
+    ipv4_re = r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)(?:\.(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)){3}'
     ipv6_re = r'\[[0-9a-f:\.]+\]'  # (simple regex, validated later)
 
     # Host patterns
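Review bot: The octet alternation `(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)` introduced in `URLValidator.ipv4_re` is spelled out twice on the same line and again, identically, in the module-level `ipv4_re` later in this patch; two hand-copied spellings of a security-relevant pattern invite the next fix landing in only one of them. Consider one module-level constant defined above the class, `_ipv4_octet_re = r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)'`, and build both patterns from it, e.g. `ipv4_re = _ipv4_octet_re + r'(?:\.' + _ipv4_octet_re + r'){3}'`. The alternation itself reads correctly: `0` alone is accepted, `1\d?\d?` covers 1–199, `[1-9]\d?` covers 1–99, and no branch admits a leading zero. The URLValidator class body continues outside the hunk.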
@@ -253,9 +253,26 @@ validate_unicode_slug = RegexValidator(
     'invalid'
 )
 
-ipv4_re = _lazy_re_compile(r'^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]?[0-9])){3}\Z')
-validate_ipv4_address = RegexValidator(ipv4_re, _('Enter a valid IPv4 address.'), 'invalid')
+ipv4_re = _lazy_re_compile(r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)(?:\.(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)){3}')
+_validate_ipv4_address = RegexValidator(ipv4_re, _('Enter a valid IPv4 address.'), 'invalid')
 
+def validate_ipv4_address(value):
+    try:
+        _validate_ipv4_address(value)
+    except ValidationError:
+        raise ValidationError(_('Enter a valid IPv4 address.'), code='invalid')
+    else:
+        # Leading zeros are forbidden to avoid ambiguity with the octal
+        # notation. This restriction is included in Python 3.9.5+.
+        # TODO: Remove when dropping support for PY39.
+        if any(
+            octet != '0' and octet[0] == '0'
+            for octet in value.split('.')
+        ):
+            raise ValidationError(
+                _('Enter a valid IPv4 address.'),
+                code='invalid',
+            )
 
 def validate_ipv6_address(value):
     if not is_valid_ipv6_address(value):
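Review bot: The rewritten module-level `ipv4_re` drops the `^` and `\Z` anchors that the removed line carried, so the pattern can now match a four-octet substring inside a longer value such as `'1.1.1.1\n'`, `'x01.2.3.4'` or `'1..2.3.4.5'`. If RegexValidator applies the pattern with `search()` as it normally does, the existing case `(validate_ipv4_address, '1.1.1.1\n', ValidationError)` in tests.py would start passing validation, and `'1..2.3.4.5'` would reach the octet loop with an empty octet and raise IndexError from `octet[0]` instead of ValidationError. Restore the anchors: `ipv4_re = _lazy_re_compile(r'^(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)(?:\.(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)){3}\Z')`. Separately, the comment `This restriction is included in Python 3.9.5+. TODO: Remove when dropping support for PY39.` describes the `ipaddress` module's behaviour, which this regex-based validator does not use; with the anchors in place the regex already rejects leading zeros and the loop is a defence-in-depth check, so the comment should say that rather than promise a removal.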
diff --git a/tests/validators/invalid_urls.txt b/tests/validators/invalid_urls.txt
index 04a0b5fb1b5f..4cbaa55eb48e 100644
--- a/tests/validators/invalid_urls.txt
+++ b/tests/validators/invalid_urls.txt
@@ -46,6 +46,14 @@ http://1.1.1.1.1
 http://123.123.123
 http://3628126748
 http://123
+http://000.000.000.000
+http://016.016.016.016
+http://192.168.000.001
+http://01.2.3.4
+http://01.2.3.4
+http://1.02.3.4
+http://1.2.03.4
+http://1.2.3.04
 http://.www.foo.bar/
 http://.www.foo.bar./
 http://[::1:2::3]:8080/
diff --git a/tests/validators/tests.py b/tests/validators/tests.py
index 4ef8a524b121..5a544ab92ddb 100644
--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
@@ -140,6 +140,16 @@ TEST_DATA = [
     (validate_ipv4_address, '1.1.1.1\n', ValidationError),
     (validate_ipv4_address, '٧.2٥.3٣.243', ValidationError),
 
+    # Leading zeros are forbidden to avoid ambiguity with the octal notation.
+    (validate_ipv4_address, '000.000.000.000', ValidationError),
+    (validate_ipv4_address, '016.016.016.016', ValidationError),
+    (validate_ipv4_address, '192.168.000.001', ValidationError),
+    (validate_ipv4_address, '01.2.3.4', ValidationError),
+    (validate_ipv4_address, '01.2.3.4', ValidationError),
+    (validate_ipv4_address, '1.02.3.4', ValidationError),
+    (validate_ipv4_address, '1.2.03.4', ValidationError),
+    (validate_ipv4_address, '1.2.3.04', ValidationError),
+
     # validate_ipv6_address uses django.utils.ipv6, which
     # is tested in much greater detail in its own testcase
     (validate_ipv6_address, 'fe80::1', None),
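Review bot: The entry `(validate_ipv4_address, '01.2.3.4', ValidationError)` appears twice in the new block, so one of the two lines is a copy-paste slip and adds no coverage; the same duplicated pair recurs in the validate_ipv46_address block below and in invalid_urls.txt. Replace the second occurrence with a case the table does not yet pin, e.g. `(validate_ipv4_address, '001.2.3.4', ValidationError)`, and consider a positive case with a zero octet such as `(validate_ipv4_address, '1.2.3.0', None)` so the new regex's `0`-only branch is exercised. Whether such a zero-octet positive case already exists earlier in TEST_DATA is not visible in this hunk.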
@@ -165,6 +175,16 @@ TEST_DATA = [
     (validate_ipv46_address, '::zzz', ValidationError),
     (validate_ipv46_address, '12345::', ValidationError),
 
+    # Leading zeros are forbidden to avoid ambiguity with the octal notation.
+    (validate_ipv46_address, '000.000.000.000', ValidationError),
+    (validate_ipv46_address, '016.016.016.016', ValidationError),
+    (validate_ipv46_address, '192.168.000.001', ValidationError),
+    (validate_ipv46_address, '01.2.3.4', ValidationError),
+    (validate_ipv46_address, '01.2.3.4', ValidationError),
+    (validate_ipv46_address, '1.02.3.4', ValidationError),
+    (validate_ipv46_address, '1.2.03.4', ValidationError),
+    (validate_ipv46_address, '1.2.3.04', ValidationError),
+
     (validate_comma_separated_integer_list, '1', None),
     (validate_comma_separated_integer_list, '12', None),
     (validate_comma_separated_integer_list, '1,2', None),
diff --git a/tests/validators/valid_urls.txt b/tests/validators/valid_urls.txt
index 4bc8c03059c0..83f68eea364f 100644
--- a/tests/validators/valid_urls.txt
+++ b/tests/validators/valid_urls.txt
@@ -63,6 +63,12 @@ http://0.0.0.0/
 http://255.255.255.255
 http://224.0.0.0
 http://224.1.1.1
+http://111.112.113.114/
+http://88.88.88.88/
+http://11.12.13.14/
+http://10.20.30.40/
+http://1.2.3.4/
+http://127.0.01.09.home.lan
 http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
 http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com
 http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa